12
votes

I have multiple Web APIs deployed in Azure without any authentication applied, so anyone who has access to the internet has access to the Web APIs.

Now I would like to apply authentication to the Web APIs. Instead of implementing the same authentication logic in each Web API, I found that Azure API gateway (API Management) is a potential solution.

From the Azure API Management documentation, I learned I can apply policies like validate-jwt to authenticate requests to the back-end Web APIs. However, the endpoints of the back-end Web APIs are still available to users.

So, how should I hide them? Must I define a sub network or does Azure API management have a feature for this?


7 Answers

8
votes

Recently I also had this same problem. Finally I found the solution by using the 'IP Restrictions' function. See the following steps:

1) Go to your API Management Overview page in the Azure portal and copy the VIP.

2) In your Web App, go to Networking.

3) Paste in your VIP.

6
votes

Microsoft's Solution: How to secure back-end services using client certificate authentication in Azure API Management

Using this approach, any attempt to access a back-end service without the required certificate will result in a 403 - Forbidden response.

You can use a self-signed certificate as opposed to using a trusted CA signed certificate ($$). I chose to implement an Azure Key Vault where I generated a new certificate, downloaded it as a *.PFX file, and uploaded it into my API Management instance as described in the article.
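As an added example (not part of this answer or of Microsoft's article), here is what the APIM policy looks like once the certificate is uploaded to the API Management instance: callers are validated with validate-jwt at the gateway, and the uploaded client certificate is presented to the back end on the outbound TLS handshake, so a request that bypasses the gateway carries no certificate and gets the 403 described above. The thumbprint, tenant ID and audience values are placeholders.

```xml
<!-- Added example APIM policy (API scope), not from the answer above.
     Placeholders: {tenant-id}, api://{backend-app-id}, and the thumbprint.
     The certificate with that thumbprint must already be uploaded under
     the API Management instance's Certificates blade. -->
<policies>
  <inbound>
    <base />
    <!-- Layer 1: authenticate the caller at the gateway.
         Rejects requests without a valid bearer token before they are proxied. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://{backend-app-id}</audience>
      </audiences>
    </validate-jwt>
    <!-- Layer 2: authenticate the gateway to the back end.
         Presents the uploaded client certificate on the outbound TLS handshake;
         the back end is configured to require it and answers 403 otherwise. -->
    <authentication-certificate thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Note that the client certificate only helps if the back end actually enforces it (App Service: Incoming client certificates set to Require, plus code that checks the presented certificate's thumbprint); APIM presenting a certificate to a back end that does not verify it hides nothing.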

5
votes

Here is an answer from @PramodValavala-MSFT
https://github.com/MicrosoftDocs/azure-docs/issues/26312#issuecomment-470105156

Here are options:

P.S. In my case I went with IP restrictions, since it allows keeping all of the auth on the API Management Gateway.

1
votes

Or you could use:

  1. Basic auth
  2. Mutual certificate auth
  3. VPN

to secure Azure API Management service communication with your backend service.

1
votes

Look into setting up TLS on Azure API Management so that all connections to your backend API must come through the API proxy.

0
votes

Azure API Management cannot modify your backend service. Its role is limited to being a proxy.

You will have to apply authentication to each Web API or configure your firewall to accept requests only from Azure APIM.

0
votes

Is your backend app an Azure Function app or an App Service app?

If so, Managed Identity may be the simplest way to restrict access. There is no need to store client secrets/certificates in the API Management instance, and it is not as flaky as the IP whitelisting method.

  1. Create an Azure Active Directory Application for the Function App.
  2. Enable Authentication/Authorization module on the Function App and reference the AAD app from step 1.
  3. Enable a Managed Identity on the APIM instance.
  4. Add a <authentication-managed-identity> policy to the APIM and reference the AAD app from step 1.

I've blogged about this approach in more detail in Restrict Azure Functions to API Management with Terraform

Reference:
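As an added example (not part of this answer or the linked blog post), this is the APIM policy for step 4. The gateway's managed identity requests a token for the AAD app created in step 1 and forwards it to the Function App in the Authorization header, where the Authentication/Authorization module from step 2 validates it. The resource value is a placeholder for that AAD app's Application ID (or Application ID URI).

```xml
<!-- Added example APIM policy (API scope), not from the answer above.
     Placeholder: {backend-app-id} is the AAD app registration from step 1.
     Requires the APIM instance's system-assigned managed identity (step 3)
     to be enabled. -->
<policies>
  <inbound>
    <base />
    <!-- Obtain an access token for the backend's AAD app using the gateway's
         managed identity. With no output-token-variable-name set, the token is
         written to the Authorization header as a Bearer token, so the Function
         App's Authentication/Authorization module can validate it. -->
    <authentication-managed-identity resource="api://{backend-app-id}" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The resource must match an audience the Function App's authentication module accepts; otherwise the token is issued but the back end still returns 401. Because the token is minted per request by the gateway identity, a client that calls the Function App directly has no such token and is rejected, which is the "hiding" the question asks for without any IP rules.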